Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

63f6744d66...e0.exe

windows7-x64

10

63f6744d66...e0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05/03/2024, 21:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe

  • Size

    87KB

  • MD5

    ab639eb2eecd4b4724a4920128ae5c7e

  • SHA1

    fc8a04433be9a046a02e86e1c7d444ff33521836

  • SHA256

    63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0

  • SHA512

    5dc4d1329c64c072d206e4d834291fbc54fb68b2924aa99e260e069f7c588d9396dfed291fba80ebd8ff49fa254f1479e6714cbe18973c05ad5066bd95c19cfa

  • SSDEEP

    1536:1a3+ddygX7y9v7Z+NoykJHBOAFRfBjG3ldoIy:08dfX7y9DZ+N7eB+IIy

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
    evasion
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 20 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe
    "C:\Users\Admin\AppData\Local\Temp\63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2560
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2564
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2424
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2456
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1868
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2800
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2952
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2696
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1712
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2320
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\63f6744d66d7b0c265c49b9c0925c6e8376eee89babb91c04412e348d577a5e0.doc"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2020

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt
      Filesize

      2KB

      MD5

      1a1dce35d60d2c70ca8894954fd5d384

      SHA1

      58547dd65d506c892290755010d0232da34ee000

      SHA256

      2661c05273f33efa4b7faa6ed8a6f7e69a13ad86077f69ee285ece9cba57e44c

      SHA512

      4abe37613145fabeb44ea4c28ecc827c8a0eb2b003e86ae7aef9be5687711fa7a294f17567ea0a70a6f14ab3cbe7886c83763a7c49278097fd53f0d11fd8154e

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      87KB

      MD5

      074a7cc5deaa6095b37695c8bbce48aa

      SHA1

      45f7a85ffd9ff0cce09d22ee5da5037e50d6e1c8

      SHA256

      d024dd62f7be6473e1d86915ce9cca35cbe62216c8cd51bbe6dabc75b49c53c0

      SHA512

      a43c9d0e17511ae888e1236e300a43d41f21983cc66f630067e0da70b25c85687c34ad7e97a97fa922d55ef68b6afdd8edf04c1d8ea541958f8accaf3ad25446

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      87KB

      MD5

      c238d734a4687c27378f431b5ba87a58

      SHA1

      23cf78211ad7ebe46d13da1fe822f4f0a556e3e2

      SHA256

      aa9130704afe4eafbdb5766d69f11fdfc347ddcad7a983d91f9ceb719aaaad58

      SHA512

      26350935734a01e8d9d3c074e3f9fbac36e1ebdb6e02389da4e27cc6d3467c39f9c9a9d78f70298a628599e49e2b71aa3d9e3f2ba29bbcf289efa6fa6567779b

      Download Submit

    • C:\Windows\Fonts\ Explorer.exe
      Filesize

      87KB

      MD5

      28da013a257d7169cdfe800e79cc01af

      SHA1

      2d275bd23d36a547d864b25049080e58a66df83e

      SHA256

      6c83c23d004634f34e4d21856417381c588705cb32a2d7b400e29a9d6cdef006

      SHA512

      165d63764d1853f39aacf6f26f2a87b873c597caa802c3a88084d33c765b32bf7c831b03adcd37cceea7adc083bc0c2f97c9fa60963c431f647d5602934d6b79

      Download Submit

    • C:\begolu.txt
      Filesize

      2B

      MD5

      2b9d4fa85c8e82132bde46b143040142

      SHA1

      a02431cf7c501a5b368c91e41283419d8fa9fb03

      SHA256

      4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

      SHA512

      c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

      Download Submit

    • C:\recycled\SPOOLSV.EXE
      Filesize

      87KB

      MD5

      b52632811d39c6413cb4c0cb1d3db011

      SHA1

      6cedd50085d66ec5044dc863b58b8327ed712424

      SHA256

      012c10921ecc675c24217bd1a464815f20407bf49d30fd1f0c819f6dbc2abc23

      SHA512

      77d62adfae04f2c4b5232f48ea907c6ab400507ab07a1a1de85a647c950dfe019ce9ec15b3953a512bb7ac9f1c7de4857d679d421bb845e64ae35908e01faf96

      Download Submit

    • F:\Recycled\SVCHOST.EXE
      Filesize

      87KB

      MD5

      86f710fef04851fd01d115b4841cb835

      SHA1

      696703b0715697a6d8c1f9e5923a3acf9e71b216

      SHA256

      5ed274e72beb1091d2d1394767108426672ff24423f5505a577e411583045c82

      SHA512

      c52b60266bc333042417994e077910f2b793553d78e1941a2f81d38bde4ff56e73b674358df08a8a7900a91639d03fc31cc65ac4a03b23b2f2e0bb67e4c11c49

      Download Submit

    • \Recycled\SVCHOST.EXE
      Filesize

      87KB

      MD5

      cc0048eba42733e44ce406370b7c25f3

      SHA1

      4e9deb4b81fdde3cfeda927318dcf6f66dfdfad1

      SHA256

      c071532863c03bc6d3de11e0c0fb59424182a9ca899d828be0d064866849ba0d

      SHA512

      788a70494e47f69b494f587361fe0c9b9a3e97a0d13c77dc436a61537cb93ca038a7d72c86062b1bacc16063c94e37c042336ba73fa7e189e97f7d7c87c4e853

      Download Submit

    • memory/1532-118-0x00000000718DD000-0x00000000718E8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1532-131-0x00000000718DD000-0x00000000718E8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1532-117-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1532-116-0x000000002FAF1000-0x000000002FAF2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1712-105-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1868-78-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/1868-79-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2236-109-0x00000000026D0000-0x00000000026F1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2236-114-0x00000000049C0000-0x00000000049D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2236-115-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2236-17-0x00000000026D0000-0x00000000026F1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2236-23-0x00000000026D0000-0x00000000026F1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2236-0-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2320-111-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2320-112-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2424-61-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2456-91-0x00000000030D0000-0x00000000030F1000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2456-66-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2536-151-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2536-25-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2560-37-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2564-56-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2588-42-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2588-52-0x0000000001CE0000-0x0000000001D01000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2588-50-0x0000000001C10000-0x0000000001C31000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2588-152-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2696-99-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2800-84-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2800-87-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2952-90-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2952-93-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

      Download